Active Directory (Windows)
Hi All, Just wondering if anyone knows about event IDs within the security log of a 2003 server? I am trying to audit bad passwords on our network, Event ID 675. When a user enters a bad password logging onto a machine it triggers event ID 675 with service name krbtgt\domain; after 4 attempts they are locked out. However, during the course of the day I am noticing the same event ID trigger maybe 20 times a day with no lockout. The only difference is the event ID has a service name of krbtgt\domain.net.local. Anyone know why there is a difference in service names within the event ID?
December 10th, 2009 3:29pm

Maybe this will help: http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html
Bits of Fury
December 10th, 2009 8:22pm

Maybe the user is trying to log on to the local machine as opposed to logging on to the domain and is using a bad password, or the user name is not set up on the local machine account... The local lockout policy is different from the domain lockout policy.
December 11th, 2009 1:41am

Hi, Please provide your domain architecture, which will help us to troubleshoot efficiently. How many domains are present? I guess there is a domain by the name .net.local. Provide us the unedited event ID (you could see the realm name in the event ID for the DNS name which is getting registered).
December 11th, 2009 6:40am

Hi,
You can use EventCombMT to help you troubleshoot the account lockout issue. Please refer to:
How to use the EventCombMT utility to search event logs for account lockouts
http://support.microsoft.com/kb/824209
More information at:
Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0
http://support.microsoft.com/kb/315585
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
December 11th, 2009 11:58am
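
Added example, not part of any post in this thread: once the event 675 descriptions have been exported from the Security log, a short Python script can tally bad-password failures by service name, client address and user, which shows which machine and account produce the events that never lead to a lockout. The sample records, names and addresses below are constructed, and the field labels assume the standard Windows Server 2003 event 675 description layout.

```python
import re
from collections import Counter

# One "Label:<tab>value" pair per line of the event description.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*):[ \t]*(\S.*)$", re.MULTILINE)

def parse_675(description):
    """Return the labelled fields of one event 675 description as a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in FIELD_RE.finditer(description)}

def tally(descriptions, failure_code="0x18"):
    """Count events per (service name, client address, user name).

    Failure code 0x18 is KDC_ERR_PREAUTH_FAILED, the bad-password case;
    records carrying any other code are skipped.
    """
    counts = Counter()
    for text in descriptions:
        f = parse_675(text)
        if f.get("Failure Code", "").lower() != failure_code:
            continue
        counts[(f.get("Service Name", "?"),
                f.get("Client Address", "?"),
                f.get("User Name", "?"))] += 1
    return counts

def _event(user, service, code, addr):
    """Build a constructed event 675 description (illustration only)."""
    return ("Pre-authentication failed:\n"
            f"\tUser Name:\t{user}\n\tUser ID:\tEXAMPLE\\{user}\n"
            f"\tService Name:\t{service}\n\tPre-Authentication Type:\t0x2\n"
            f"\tFailure Code:\t{code}\n\tClient Address:\t{addr}\n")

# Constructed sample data: made-up users, realms and documentation addresses.
SAMPLE_EVENTS = [
    _event("jsmith", "krbtgt/EXAMPLE", "0x18", "192.0.2.10"),
    _event("jsmith", "krbtgt/EXAMPLE", "0x18", "192.0.2.10"),
    _event("svc_backup", "krbtgt/example.net.local", "0x18", "192.0.2.55"),
    _event("svc_backup", "krbtgt/example.net.local", "0x18", "192.0.2.55"),
    _event("jsmith", "krbtgt/EXAMPLE", "0x25", "192.0.2.10"),  # clock skew, skipped
]

if __name__ == "__main__":
    for (service, addr, user), n in tally(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {service:28s} {addr:15s} {user}")
```
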

We have about 6 domains; however, some of these are unused and the trust relationship has been removed. Also, users can only log on to 1 domain from the 6 available from the drop-down list. My biggest concern is that event ID 675 is triggered all through the night and not done by a specific user. Also, when the service name is the FQDN it never locks the account out. I just want to understand why there is a difference in service names.
December 15th, 2009 2:22pm

This topic is archived. No further replies will be accepted.
